IT's Attitude Problem

Few of our 446 respondents will change their IT strategies as result of the cloud. That spells lost opportunity.

Cloud computing has widened the already pronounced rift between business executives and stereotypical IT throwbacks who think data is safer on internal Windows 2008 servers that get patched every quarter, whether or not they need it. There are a few members of the latter camp among the 446 business technology professionals from companies with at least 50 employees responding to our InformationWeek 2013 State of Cloud Computing Survey. They made comments such as "I won't trust my checkbook to the cloud, why should I trust anything else?" and "Another IT fad filled [with] flaws and glitches."

These results reinforce a trend we saw in our recent Standardization Survey, which yielded this gem: 76% of IT professionals believe that it's better to err on the side of tighter standards, whereas only 55% of those same pros believe their companies' senior business leaders feel the same. This means IT is either inept at communicating why it does what it does (including resisting the cloud) or fundamentally misaligned with the needs and priorities of the organization. Unfortunately, based on our new cloud survey, we're pretty sure it's the latter.

The cloud's core benefit is that it lets us selectively outsource tasks we used to have to do ourselves. Tech organizations that use the cloud can focus on their core competencies and may need fewer IT resources, so it's no wonder that large IT departments are hostile to it. But as long as their answer to the cloud is like those survey comments -- idiosyncratic, irrational and irrelevant objections -- IT will gradually become less and less involved with the adoption, use and support of information technologies across their companies, as business units make their own "shadow" IT purchases.

Sadly, many respondents don't seem to get that. We saw only an 11% increase in infrastructure-as-a-service adoption compared with 2012, from 27% to 30% among companies using public cloud services, and don't anticipate significantly faster growth in the next 12 months.

Why the negativity? Our survey comprises primarily IT professionals -- executives, managers and staff -- at larger organizations; 62% have at least 1,000 employees, and companies with fewer than 50 employees were removed from the results. Given that, it's likely larger companies that are moving slowly. While this may seem prudent from a risk management (and job-keeping) perspective, it exposes these companies to significant competitive threats that may not be adequately captured in risk and opportunity evaluations.

There is some movement, however. We saw a 29% increase (14% to 18%) in the percentage of respondents who have replaced or fired a cloud provider. This speaks to one of the core advantages of outsourcing IT services: These shops are much less likely to have dedicated staff and hardware that can create inertia around the operational aspects of change. Instead, business needs are a larger part of the decision, and IT can implement changes faster.

We're not saying respondents don't have some valid concerns about the cloud. Let's look at a few.

>> Maturity: One striking survey result is a drop in use of software-as-a-service (57% to 49%) and platform-as-a-service (42% to 36%) from 2012 to 2013. However, we saw overall increases in cloud usage (33% to 40%), which showed up in virtualization for private and hybrid clouds (56% to 64%) and IaaS (27% to 30%). This suggests that companies are retreating from early adoption of services that may be too "beta" (like PaaS) or that cede too much control to cloud vendors (like SaaS).

>> Risk of security or performance problems: Most respondents now see using a cloud vendor as carrying equal or less risk than engaging a noncloud vendor (51% in 2013 vs. 45% in 2012), although very few see cloud vendors as being less risky (7%). Similarly, cloud vendors are seen as providing equal or better performance compared with on-premises applications, although the percentage saying so has dropped since 2012 (77% in 2013 vs. 81% in 2012), and fewer respondents say that cloud application performance is improving (34% in 2013 vs. 44% in 2012).

>> Loss of control: It makes sense that companies want to adopt new technologies slowly. Moreover, the cloud ultimately is about handing over control; in the case of SaaS, business units can (theoretically) own the relationships with vendors, cutting IT out entirely. If CIOs want to retain influence, we would expect to see greater adoption of IaaS as well as virtualization and private cloud, which are arguably less disruptive to the control structure than SaaS and PaaS. And this is exactly what we find in the 12-month planning question, where planned IaaS adoption among those using or expecting to use cloud services has jumped 42% compared with 2012.

Gartner has been so bold as to predict the "end of the traditional sourcing model" in favor of cloud-based services, with SaaS, PaaS and IaaS taking more market share than traditional sourcing by 2015. Trending data from our State of the Cloud Survey since 2010 shows companies that adopt cloud computing generally aren't going back to on-premises deployments. In other words, the cloud isn't all hype; it does deliver, otherwise services would be rolling back to internal IT. Startups, non-IT business units, consumers and the media all recognize the value. It's painfully ironic that the biggest source of griping and inertia is the department that could benefit the most.

The biggest similarity I see between your comments are broad, sweeping generalizations about entire categories without any acknowledgement about trade-offs and the differences within categories.

The business agility (and cost) benefits of using cloud infrastructures are significant. Are there security risks? Yes, and you need to deal with them appropriately. But your overall argument takes an arc that's similar to, "the world is a big, bad place, and so it's better to stay under your covers". The reality is that there is no panacea--running in an on-premises data center exposes you to significantly worse social engineering risks than a properly-executed public cloud strategy (meaning data encrypted in flight and at rest, with property identity management), and your on-premises data center is going to have far worse physical security than, say, Amazon Web Services.

This is about risk-risk tradeoffs, not "everything is totally safe and fine in my data center and the big, bad world is really dangerous out there."

My article is about an attitude problem--an attitude that the cloud must be bad by presumption, and therefore rational decision-making goes out the window. Your attitude in your posts is exactly what I'm talking about.

I fully agree with you regarding the different classifications of "Data." The point I was trying to address surrounds the inappropriate early adoption of technologies. And unfortunately, the truth of my arguments are bearing out in recent news. Consider it like this, once you put anything on the outside of your internal business infrastructure, no matter how sensitive or trivial, it's security is compromised. Period end of story. You can thank Homeland Security and Congress for that. Now consider the driving discussion in the boardroom of most corporations is the fiscal "bottom line." Without relying on the IT executive's professional caution, businesses are placing the sensitive and confidential data in the same bin as the "safe public consumption" data. The reason why is because the vendors are not properly disclosing the limitations of the solutions they are selling and with good reason. They are not disclosing these critical issues, because if they did, not one company would use them as a solution provider.Specifically regarding data types now, to be clear. I have been an Internet Host provider since 1995. By working with clients over the years I have seen firsthand the lessons learned as people implemented solutions hastily and without proper testing. The sad thing is that the basic issues are the same, just with a new way of exposing the risks. The belief in a safe and secure shared mainframe (or cloud) exposed to the world is simply a myth. And whoever tries to tell you otherwise does not have your best interest at heart or is a complete technology novice.At this point the decision makers have clouds in their eyes and need the wake-up call before more real money is lost due to poor decision making. Once the spell is broken, then real solutions can be explored like hybrid cloud models where physical separation layers sequester critical data and expose only to the internet access and control as truly appropriate. Security is hard to make sexy, but now more than ever it needs to be.

The question is whether you lead with fear and a default position of not adopting new technology (as your comment shows), or whether you lead with business reasons and how you'll be able to serve them efficiently and effectively.

The biggest issue I have with your views (as expressed in your comment, at least), is that you appear to view "Data" as a monolithic entity. It is not. There is critical data which you should not store in "a migrant data center", and then there is data that is much less critical and does not need to be subjected to such strong controls. If IT continues to want to have a single solution for information security, it will hold the organization back.

There are certainly some use cases that can't be put in the cloud, but it's hard for me to understand exactly what your complaint is with the overall argument. The number of organizations that need to put so much data into the cloud that bandwidth is a problem is a very small number.

Wow great way to connect with the target audience of Informationweek.. Refer to us as "throwbacks?" Hmm.. already makes me think you are not a technically literate writer but rather a newbie to the industry with less experience than the typical 90's AOL user carrying an MBA who still is looking for the "Any Key" on his keyboard.

Now insults traded let's hit the issue. The infamous cloud environment.. or to use some other titles "Return of the Big Iron computing model" or "Supercomputers on a budget" or "Security smecurity! This glossy brochure says its better" or try "Digital outsourcing with no regard for intellectual property, national security, or needless consumption of data transport infrastructure issues." They all apply directly. The cloud does have it's place, but replacing in-house data services for the sole benefit of the misunderstood bottom-line is not it.

There are key phrases that need to be heard, like "When the technology matures" that should send red flags up in every boardroom because it means early adoption could cost you your business. Certain aspects of a business are appropriate for outsourcing in IT due to the very nature of the services (Web presence is a good example.)A good rule of thumb is treating your firewall like the front door of your business, and your data like your merchandise product. What is ok to put on the sidewalk out front and what needs to stay behind the counter. If you are putting your cash drawer and key properties out on the sidewalk, please post me your address so I can come by and pick them up.A properly managed IT infrastructure for a business does have a firewall to the internet that is not wide open for everything (No matter how the C execs whine) to protect the internal infrastructure. The question is, how much has this critical set of protection layers been forced to be compromised to enable un-required outsource service integration? And what are the hidden costs involved when malicious intrusion and loss of data occurs (not if, I said when.) Should poor policy planning in this regard be exempted from culpability just because "everyone else is doing it?" I don't think so.

Your experienced IT staff (especially the dot com veterans) have lived through events and understand that the computing environment ecosystem really has not changed since the 80's. Sure there are new technologies and fashionable ways of getting jobs done, but Data is still just Data. You always need to ask "If my data is that valuable, where is the best place to manage and store it?" If you answer "outsourced to a migrant data center design that can end up housing the financial and intellectual property in foreign countries with well known disregard for the privacy desires you have about your data is the best idea..." well, I guess a career in business is really not for you. Nuff' said.

The author is being a bit of a fool. Actually, a lot more than a bit. The very FIRST consideration to a big cloud deployment is bandwidth per user. "Hmmm...1000 users...50 Mbps net connection...1 TB of data in the cloud. Nope, sorry, don't pass go, don't collect $200."

The first thing that anyone seriously considering cloud deployments needs is that their employees are spread out...well, like clouds. If you have few, if any IT-centric personnel working on 3G/4G/LTE, then what sense does the cloud make? And how many respondents fit the niche that their IT-centric employees are spread out, either stuck on mobile data or in such small numbers per site that the bandwidth numbers work? Top-end, about 10% maybe.

Come back and talk to me when you've got internet connections that average 10 Mbps per employee with unlimited data that cost, well, NOTHING, like a 10 Gbps LAN does, and then we'll talk. Until then, that 1 TB of data will stay on MY side of the 2.5 Mbps connection the 30 of us have to share.I'd love to get that data mirrored up on the cloud so those of us out of the building could get at the critical stuff working in the field--at a reasonable price, bulletproof availability, comprehensive security and fast access. But that ain't presently on offer. What is on offer just swamps what bandwidth we have when it comes to mirroring.The cloud ain't ready yet. And I'm not sure that the internet speeds and latency to make it ready will ever be ready. Terabyte storage and 10 Gbps LAN speeds mean that the Server/client architecture we've got ain't going anywhere, any time soon.

This falls under the responsibilityif the IT department and the C-level executives. It is the IT departmentsfailure to effectively communicate with the C-level executives, exactly how thecloud can benefit their organization. Itdepends on an organizational to organizational structure, but the cloud can alleviatehaving to do daily maintenance. On the other hand if your organization has theresources to complete these tasks in house, why not?

Lost opportunity for whom? Cloud vendors like the author? This should probably be flagged an opinion piece as it has very little substantive, non-biased information in it beyond the results of the survey.

I find it interesting that the author would declare those IT shops who see more risk than reward in a cloud as luddites or the next ones on the chopping block. It all goes back to the same types of risk/reward measurements that were made before virtualization became mainstream. If the perceived reward does not outweigh the perceived risk, guess what? - IT shops don't move that direction. Once the technology matured, shops migrated to virtualization.

The big argument made against virtualizing that I remember was the "all my eggs in one basket" argument. With that backgorund, one can imagine the objections to cloud services, where the perception is that it's not just "your eggs" in one basket (plus it is not even "your" basket), but everyone else's, too.

I think it is a little early in the game for the pundits (especially those with skin in the game) to start chastising large IT shops for not jumping on the cloud services boat that is still being built as it sails across the IT waters.

Gartner has released a couple reports this year which showthe growth of each particular section in cloud computing. Knowing themethodology of the report cited in this article, such as the target audience ofthe survey, itG«÷s no surprise this somewhat contradicts GartnerG«÷s findings, yetreflects the nature of the overall trend.

From a business perspective, a cloud is not much differentthan having an in house system as transparency to end users is a general goaland in many cases, a successful endeavor. The same amount of security threatsare present in either model, with some variation in potential susceptibility. Whenthe cloud market matures as a whole, flaws will ultimately seem to be an equaltrade-off when comparing a hosted to an in-house solution.

As the enterprise technology consumer becomes more educated,fluctuations in the overall market will likely stabilize. For example, the SaaSmarket may have dropped eight points, but it is still the highest utilizedcloud service which should continue for years to come.

Though IG«÷m an advocate for cloud computing, itG«÷s not a onesize fits all solution. Unless IT becomes better at communicating why certainprocesses are handled the way they are, as stated in the article, they will risklosing their jobs to a hosted service.

Software as a service is the clear No. 1 way enterprises consume cloud. InformationWeek's SaaS Innovation Survey reveals three tips to get the most from SaaS: Make it a popularity contest. Have an escape plan. And remember that identity is the new perimeter.